Yeah, I think I was right and wrong. Right in that the microcode cannot fix the problem but wrong in that the microcode can disable the problematic features (speculative execution, ???) to foil the attack. Unfortunately, that will be a significant and forever performance hit for existing processors.

It makes sense that the features can be enabled and disabled via microcode.